OPC UA

Important feature gate

The shipped runtime config supports [runtime.opcua], but wire-level server support depends on building trust-runtime with the opcua-wire feature.

First things to decide

• which symbols should be exposed?
• what endpoint and namespace URI should clients see?
• what security policy and mode are acceptable for the network?
• is anonymous access ever acceptable for this deployment?

Success means you can decide whether OPC UA belongs in this deployment, which symbols are exposed, and whether the runtime has been built with the required wire feature before a client expects to connect.

Use MQTT or Modbus instead when the integration is clearly pub/sub telemetry or register-oriented device exchange.

Example and commissioning guide

This example shows how to expose runtime variables over OPC UA.

Critical feature gate

OPC UA wire support is optional in this build.

• required feature: opcua-wire
• if runtime.opcua.enabled = true without opcua-wire, runtime startup fails with a feature-disabled error

What you learn

• how [runtime.opcua] controls server endpoint and exposure
• how to confirm feature-gated behavior intentionally
• why security defaults should be explicit at commissioning time

Files in this folder

• src/main.st: sample logic (PumpRunning := TankLevel > 50.0)
• src/config.st: global symbols exposed by OPC UA
• runtime.toml: includes [runtime.opcua] section
• io.toml: simulated I/O for protocol-focused bring-up
• trust-lsp.toml: project settings

Step 1: Build with OPC UA feature enabled

Why: this confirms runtime includes wire server code path.

cd examples/communication/opcua
cargo build -p trust-runtime --features opcua-wire
trust-runtime build --project . --sources src

Step 2: Enable OPC UA server in runtime.toml

Why: wire server starts only when explicitly enabled, and this example keeps first boot simple.

This example already ships with these values in runtime.toml:

[runtime.opcua]
enabled = true
listen = "127.0.0.1:4840"
endpoint_path = "/"
namespace_uri = "urn:trust:runtime"
publish_interval_ms = 250
max_nodes = 128
expose = ["TankLevel", "PumpRunning"]
security_policy = "none"
security_mode = "none"
allow_anonymous = true

For production, tighten security by setting:

• security_policy = "basic256sha256"
• security_mode = "sign_and_encrypt"
• allow_anonymous = false with explicit username + password

Step 3: Validate runtime config

Why: catches schema and exposure-pattern issues before launch.

trust-runtime validate --project .

Step 4: Run runtime and verify endpoint

Why: confirms server boot + published node visibility.

trust-runtime run --project .

Use your OPC UA client to connect to opc.tcp://127.0.0.1:4840/ and browse exposed nodes.

Step 5: Confirm expected failure mode (optional but recommended)

Why: verifies your team recognizes feature-gated startup errors.

1. Build without opcua-wire.
2. Keep [runtime.opcua].enabled = true.
3. Start runtime and confirm it fails with the feature-disabled OPC UA message.

Common mistakes

• enabling OPC UA in config without enabling opcua-wire in build
• using broad expose = ["*"] too early in commissioning
• allowing anonymous access in production networks
• skipping startup probe/read validation from a real client

Related

• runtime.toml -> runtime.opcua
• Protocol Matrix